Classifying and Protecting Data in Office 365

Leave a comment

In my previous post, I introduced how to classify data with Azure Information Protection (AIP). In this post, I’ll introduce how to create a policy / label and additional data classification features you can use to enhance and protect your data.

Creating Azure Information Protection Policy (Label)

You can access Azure Information Portal from the Microsoft Azure Portal. With each AIP label, you can further protect your data by applying any or all of the additional features:

  • Create visual markings (header, footer watermark). Watermarks are applied to Word, Excel, and PowerPoint only.
  • Associate Azure Rights Management (RMS) policies
  • Define conditions that could detect data patterns for automatic classification. Custom conditions can be either words, phrases, patterns, and even regular expressions.

Create New Label: The process of creating a new label is pretty straight forward. You will need to provide a label name, and description. Optionally, you can change the color of the label, and add visual markings such as header, footer, and watermark to the documents.

AIP Visual Markings

In this example, I created a label called ‘Confidential Project’, a footer text of ‘Sensitivity: Confidential’, and added ‘Contoso Confidential’ for its watermark. After the label is saved and published, when the user selects the above label, the document displays as shown in the following image.

AIP Document Visual Marking

Note that visual markings are not applied to documents when the label is applied by using File Explorer and the right-click action, or when a document is classified by using PowerShell.

Associate Azure Rights Management (RMS) Policy: Azure RMS is the protection technology used by Azure Information Protection. Azure RMS allows you to set permissions and automatically applies protection for documents and emails.

You can protect your data within AIP by selecting one of the available options:

  • Do not forward – allows recipients to read the message, but cannot forward, print, or copy content.
  • Select a predefined template – must use PowerShell (New-AadrmRightsDefinition) to create templates for the entire organization
  • Set (custom) permissions

By selecting ‘Set permissions’, you can select users or groups from your tenant. You also have an option to select users or domains from outside your organization, and apply different permissions as necessary.


Define Conditions: Within AIP, you can define one or more conditions within a label. You can select from one of the default conditions or create custom conditions. When a document or email matches the condition associated with the label, you can automatically apply the label to the document or email, or visually show the user a recommendation.

AIP Conditions

These are just a few examples of how you can extend AIP and RMS features to protect your documents and email.

Establishing and maintaining an effective security and information management program involve people, process and technologies working in concert. From the technologies standpoint, IT administrators can start by enforcing rules to ensure documents are classified and protected by using tools available in Office 365.

These are some of the features in Azure Information Protection and Exchange Online. In my next post, I will cover how you can protect your data when sharing with external organizations by integrating the footer information used in this post.


Classifying Data with Azure Information Protection (AIP) – Introduction

1 Comment

In my previous post, Benefits of Data Classification, I covered the foundation of data classification.  In this post, I’ll highlight how data classification (labels) can be applied to documents and how you can configure them in Office 365.

Why would you want to classify your data?

As my previous post pointed out “Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.”

Most recently, I have been working with Microsoft Azure Information Protection (AIP) to classify and protect data in Office 365. AIP provides classification, labeling, and protection for documents and emails stored in your organization.  Azure Rights Management service (Azure RMS) is the protection technology, and is a component of Azure Information Protection. More information about Azure Information Protection can be found here.

What are Labels?

In AIP, a classification label is used to identify data based on its level of sensitivity and the impact to your business.  Most common sensitivity levels are categorized as restricted, confidential, official use, and public.

AIP can apply labels (classify) to documents and e-mails. The current supported file types for classification according to Microsoft are listed below.  However, in my experience and images use in this post were all done with Office 2016.  Visit this page for the latest information on supported file types.

  • Adobe Portable Document Format: .pdf
  • Microsoft Visio: .vsdx, .vsdm, .vssx, .vssm, .vsd, .vdw, .vst
  • Microsoft Project: .mpp, .mpt
  • Microsoft Publisher: .pub
  • Microsoft Office 97, Office 2010, Office 2003: .xls, .xlt, .doc, .dot, .ppt, .pps, .pot
  • Microsoft XPS: .xps .oxps
  • Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi.png, .tif, .tiff
  • Autodesk Design Review 2013: .dwfx
  • Adobe Photoshop: .psd
  • Digital Negative: .dng

Let’s take a look at how AIP can be used by users and administrators.

Classifying Your Documents

Users can assign predefined or customized labels manually or AIP can automatically apply a default label, depending on the version of AIP deployed with Office 365 (automatic classification requires AIP Plan 2).

This image shows the default labels from AIP that users can apply to their document from within Microsoft Word.

AIP Client Labels


I added a few customized and sub-level labels to the existing default ones.  You can modify the pre-existing ones as well.

AIP Customized Client Labels

You can even configure the labels to display in different languages based on your Office client.  In the image below, I configured my labels to display in Spanish.

AIP Client Labels Spanish

Configuring a default label to be applied to documents and e-mails is as simple as clicking the On or Off switch.

AIP Auto Classify2

How are Labels Created?

From Azure Information Protection Admin Portal, you can administer how labels are published to your users.  These are the default and custom labels I created.

AIP Labels

You can also scope or target labels for users or groups.  Just an example, I created a specific label for one of the users in the tenant.

AIP Scoped Policy

As you can see from the above image, all the labels are marked as ‘Global’ with the exception of one sub-label ‘Partners’ where it’s marked as ‘Ben Walters Only’.  All users will see the ‘Global’ labels, but only Ben will see the additional label.  Obviously, you would want to scope your policies to target multiple users or groups.

These are some of the features in Azure Information Protection.  I will cover more features in my next post.

AIP Client Preview 1.10.52

Leave a comment

With the previous version of AIP client Preview ( (the current GA version is ( if you created many new labels, you would have to scroll to select the label.

AIP Preview

I just installed the latest version of Azure Information Protection (AIP) Client Preview, and was excited to see that you can label e-mail and documents by clicking “Protect” in the main ribbon.

AIP Preview

The new AIP PREVIEW version contains many new features, check out the details here.

Benefits of Data Classification

1 Comment

Organizations are overwhelmed with data, from e-mails to confidential documents.  With increased reliance on cloud services like Office 365, data is no longer locked behind the walls of your organization. Today’s organizations and the nature of connecting users, business partners, and suppliers generate a tremendous amount of data.  How can you ensure that important data is protected, without needing to protect everything?


What is data classification?

Data classification is the process an organization follows to develop an understanding of its information assets, categorize those assets to safeguard information and comply with its information security policies, laws, regulations, and compliance obligations.  This is done by applying labels to documents either manually or automatically based on predefined policies.

A typical data classification policy might define information at four levels:

  • Restricted: Data that is considered most critical to the organization. Disclosure of this data could violate or have severe regulatory impact.
  • Confidential: Highly sensitive corporate and customer data that if disclosed could put your organization at financial risk, loss of customer, or disruption of operations.
  • Official Use: Internal data that is not meant for public disclosure. If the data is compromised, would have minimal impact but does not impact profitability or continuing operations of the business.
  • Public: Data that requires no special protection and may be freely disclosed with the public.

Benefits of classifying your data

The sensitivity of data varies significantly from public information to highly confidential trade secrets.  To ensure proper protection, organizations need to identify and classify data, while defining standards and policies to properly handle each type of data.

Consistent use of data classification will facilitate more efficient business activities, and lower the costs of ensuring adequate information security.  By classifying data, your organization can prepare to identify the risk and impact of an incident based upon what type of data is involved.

Compliance – Classifying data, adding labels, and enforcing policies helps your organization meet legal compliance and regulatory requirements.

Usage Rights – By understanding the sensitivity of the data, you can begin to understand who should or shouldn’t have access to it both inside and outside of your organization.

Awareness – data classification helps to ensure employees are more aware of the type of information they are dealing with and its value, as well as their obligations in protecting it to prevent data loss or compromise intellectual property.

End User Empowerment – Data classification brings security to the front of your organization by empowering its users. Many data leaks could be avoided if a data classification solution is in place. Adding visual labels to headers and footers helps to raise end user awareness and assist them in becoming more security focused and avoid sharing sensitive content on USB drives, via e-mail, or could services like Box or Dropbox.

Getting Started

Getting started with data classification requires understanding your organization’s data compliance and security needs. When you are ready to start classifying your data, keep these in mind:

  • Keep the process of classifying data simple for both users and the data custodians
  • Don’t try to classify everything immediately
  • Work with data owners to focus first on the most business-critical, highly sensitive, critical assets and systems

Securing data is a growing challenge, but incremental steps are keys to an organized and classified data model.  Data classification provides a clear picture of the data within your organization’s control and an understanding of where data is stored, how it’s most easily accessed, and how data is best protected from potential security risks.

In this post, I covered the foundation of data classification.  In my next post, I’ll focus on classifying data in Office 365.

Office 365 – Sharing with External Users

Leave a comment

When it comes to collaborating, Office 365 allows colleagues to check availability in Outlook, schedule a Skype for Business meeting, and share files in SharePoint, OneDrive for Business, or Office 365 Groups.  While sharing within your own organization is fairly simple, sharing with external users requires some planning.  External users can be anyone outside your organization; this can include partners and customers.  A technical description of an external user, is a user who does not have an account registered or licensed in your Office 365 tenant.

There are two types of external users – authenticated and anonymous.

Authenticated users are users with a Microsoft account from another Office 365 subscription.  Authenticated users can have the same permissions as any of the internal users within your organization.  You can assign a license to them.

Anonymous users are users who can access a folder or document via a shareable link.  Anonymous users can view, edit, or upload to the folder without having to log in with a username or password.  Anonymous users cannot access sites, and you cannot assign licenses to them.

Where do you start?

Before you can start allowing external users to access your data, you should consider the existing policies set by your organization.  Some of these policies may include:

  • Is external sharing allowed for anyone (anonymous) or just authenticated users?
  • Which domains should be allowed or blocked in Skype for Business?
  • What types of content that cannot or should not be stored in O365?
  • Who can (and should) extend an invitation to an external user?

You may also find that your organization does not have policies in place that address the sharing of content with external users except through e-mail.  If this applies to your organization, it’s important that your Office 365 tenant is configured to limit external sharing until the proper policies and controls can be put into place, thus limiting the risk to the organization.

What are some of the security risks?

While external sharing is a great way to extend your organization to your partners, suppliers, and perhaps even your customers, there are risks that must accounted for.  Some of those risks include

  • Accidental sharing of sensitive content
  • External users with full control might be able to share content with other unintended external users
  • Changes made by anonymous users cannot be tracked

While these risks, and potentially others, apply to your organization, there are processes, settings, and tools within Office 365 that can mitigate the risks and protect your corporate assets and intellectual property.

  • Implement and enforce governance for external sharing
  • Consider using Azure Rights Management (RMS) to encrypt and restrict sharing of the data
  • Implement Data Loss Prevention (DLP) policies to automatically detect sensitive data
  • Send links, not attachments
  • Grant minimum level of permissions to external users
  • Disable external sharing on site collections with sensitive data
  • Disable anonymous sharing

What can you share?

External sharing can be configured separately for the different capabilities in Office 365, but primarily for SharePoint Online, OneDrive for Business, Outlook, Skype for Business, and Office 365 Groups.

SharePoint Online and OneDrive for Business: you can share an entire site, lists and libraries, and documents.  Keep in mind that the external users will need to authenticate to see all of these items while anonymous users can only see documents.  Additionally, SharePoint gives you the ability to limit users who can share with external users.


Office 365 Groups:

  • Conversations – no access to conversation history, but may participate by receiving an e-mail sent to the distribution list
  • Files, Notebook, and Site – you can share an entire site, lists and libraries, and documents
  • Calendar – no access


Exchange (Calendar): you can share free/busy information with time only, with subject and location, or full details


Skype for Business: you can schedule meetings or chat


When it comes to sharing, or collaborating with partners and customers, it is critical to include external sharing as part of your Office 365 governance and security planning.  Remember that a governance plan is not a guarantee for security compliance, users and administrators must observe and follow good practices and policies to minimize the risks.

Transitioning Users to Office 365

Leave a comment

Microsoft Office 365 users in the commercial space have grown to over 85 million, up more than 40% in a year. It’s likely your organization has made the move or will soon be moving to Office 365. If your company has invested in Office 365, the first decision you’ll need to make is where to begin. With the current applications already offered (pictured below), users can be overwhelmed. It’s up to your Office 365 leaders and experts to help users decide what technology or feature to use and when to use them.


The chat-based digital workspace – Microsoft Teams, launched earlier this month, is the latest service offering that will entice more users to use Office 365. This is the new work area within Office 365 that provides a modern conversation experience. It integrates with Skype for Business, so teams can participate in voice and video conferences. Along with Office 365 Groups, it brings together the full breadth of Office 365 into one central hub for teams to collaborate. Applications such as Word, Excel, PowerPoint, SharePoint, OneNote, Planner, and Delve are all integrated into Microsoft Teams. The main goal for this latest service offering is to provide users with all the information and tools they need securely on any device at any time.

While Office 365 provides an ever growing set of features, the challenges for IT professionals typically focus on whether the features are mature enough to deploy in their organization. The decision to deploy what functionality the organization needs include business need, compliance, user experience, and support. The decision in deploying new technologies should also be focused on how to prevent users from stumbling over all of the available applications and features in Office 365. To help your organization realize business value faster with Microsoft Cloud, a service called ‘FastTrack’ is provided by Microsoft. The image below from Microsoft Ignite shows the most recent capabilities of Microsoft FastTrack. To further assist your organization, a step-by-step guide with the FastTrack site is available here.


A whitepaper from 2toLead on “When To Use What In Office 365” has been published to help guide organizations and users accelerate their usage and adoption of Office 365. This is a great start for organizations that are planning to move to Office 365 or ones that have already deployed it.

Some important factors to help users adopt Office 365 include:

  • Cultural Change – Users will need help moving from their client based to cloud based applications. Establish daily tips to improve understanding and awareness of the new technology.
  • Embraced by Leadership – Business stakeholders and influencers must be identified and engaged early in the new technology
  • Establish Governance – Set clear policies for usage, security, and management of content
  • Pilot – Before rolling out a new application or feature to the enterprise, test usability with a small group of users from different areas of the organization
  • Campaign – Create an effective internal adoption roadmap and channels to capture user feedback

Understanding and providing ways to help business challenges are keys in gravitating users towards Office 365. Adoption is a continuous cycle that doesn’t end after launch date. As your business needs change, and new service offerings are released in Office 365, the adoption cycle will continue to be a key component for your organization. Office 365 is in a state of constant change, the public roadmap can help you keep aware of new features or updates that may be beneficial to your organization.

To learn more on how Centric Consulting can help you with Office 365 adoption, visit us at

Migrating SharePoint to Office 365 – Best (Recommended) Practices

Leave a comment

Microsoft Office 365 user population has recently hit 85 million commercial users ( As the user base continues to grow, we’ve seen a growing interest amongst our clients in moving their on-premises SharePoint farms to Office 365. The most critical part of a SharePoint migration project involves planning for the migration itself. With the different number of factors involved including the limitations of out-of-the-box migration options, this can complicate the project and introduce undesirable risk. It is critical to plan a SharePoint migration carefully and fully take into account all variables involved in the migration process.

Once a decision is made to move your SharePoint sites to the Office 365, you will need to consider – what does success look like to you? Whether the new platform is SharePoint Online or Hybrid, the following recommendations could be used as starting points for your migration.


  • If you have SharePoint On-premises, run the OnRamp for Office 365 Tool to assist you with discovery activities related to Office 365 deployment (screenshot below)


  • Custom domain – if you plan on using your own domain (ex:, make sure this domain has been verified
  • Make sure Office 365 tenant is ready – licenses, connectivity (network/firewall), and security must be in place
  • On-premises AD schema and forest functional level – MUST be at Windows Server 2003 or later if you plan on using Azure AD Connect
  • Prepare Active Directory before synchronize – run IdFix on your on-prem Active Directory and fix errors on accounts targeted to be synchronized
  • ADFS – if you consider deploying ADFS, you’ll need to use SSL Certificates
  • Take an inventory – this includes content, information architecture, design, and custom solutions
  • Decide what to move – take only what you will need – archive and delete redundant and/or legacy data
  • Prioritize and classify all content – tag content with metadata including Business Unit, and any other relevant data. Prioritize content with criteria such as business critical, important, nice to have, etc.
  • Select the right migration tool – Many commercial tools are available to assist with migrating to Office 365
  • Communication – some people tend to forget – make sure to communicate, communicate, and communicate


  • Start with a pilot migration – use a representative sample of data to confirm technical feasibility of the migration, and identifies gaps
  • Migrate in batches – for larger organizations, divide content in batches to migrate


  • Testing and validation – validates the success of the migration from the perspective of whether or not the infrastructure of the target environment meets the requirements of the business; this includes network latency, permission, custom solutions, etc. Repeat this process for each batch of the migration.
  • Transition of users – this includes ‘freezing’ the source environment, and perform one final synchronization of changes, and transitioning users to the target environment. Again, repeat this process for each batch of the migration.

In conclusion, migration of existing business content to SharePoint Online is not trivial. Ideally, organizations should spend time planning, discovering, and auditing the content, starting with the pre-migration checklist above. Lastly, whenever possible, comprehensive testing after each migration batch should be performed to minimize risk.

Centric has assisted many organizations with SharePoint and Office 365 upgrades and migrations. To learn more about how Centric Consulting can help with your upgrade or migration, visit us at

Older Entries